Top 5 Ransomware ATT&CK Techniques


The MITRE ATT&CK framework is used as the common language among the cybersecurity community to describe adversary techniques. With about 200 techniques and 400 sub-techniques, the framework is far too large for an organization to configure security controls against every technique. Organizations therefore use research reports such as the Picus Red Report, the CISA RVA Report, and the Red Canary Threat Detection Report to prioritize ATT&CK techniques. MITRE Engenuity's Center for Threat-Informed Defense (CTID), of which Picus is a Gold Affiliate, brought a new perspective to technique prioritization and released the Top ATT&CK Techniques project in May 2022.

The aim of this blog is to determine and explain the top ransomware attack techniques by examining CTID's Ransomware Top Ten List and the Picus Red Report. It helps security teams prioritize ATT&CK techniques for an effective and efficient defense strategy.


CTID Top ATT&CK Techniques Project

The MITRE ATT&CK® Framework is a community-driven knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. The MITRE ATT&CK Matrix for Enterprise, the most widely used matrix in the framework, consists of 14 tactics, 191 techniques, and 385 sub-techniques as of v11.3.

The Center for Threat-Informed Defense (CTID) is a non-profit research and development organization operated by MITRE Engenuity. CTID is supported by private organizations that have sophisticated security teams. As a Gold Affiliate of CTID, Picus supports and contributes to CTID's projects.

Prioritizing the most prevalent ATT&CK techniques used by adversaries is a great starting point for operationalizing the ATT&CK framework. However, each organization's threat landscape and security infrastructure is unique. CTID's Top ATT&CK Techniques project guides security teams on prioritizing ATT&CK techniques for their security infrastructure by providing the Top ATT&CK Techniques Calculator to compile customized top ten ATT&CK techniques based on the organization's cyber defense capabilities in addition to the prevalence and impact of techniques.

Top ATT&CK Techniques Calculator

The Top ATT&CK Techniques Calculator uses the methodology shown in the figure below to compute the ATT&CK techniques an organization should prioritize. The calculation relies on three metrics: Prevalence, Choke Point, and Actionability.


Figure: Top ATT&CK Techniques Methodology

Ransomware Top Ten List by MITRE

As an example, CTID used the above methodology to compile the following list of Ransomware Top 10 ATT&CK Techniques:

1. T1486: Data Encrypted for Impact

2. T1490: Inhibit System Recovery

3. T1027: Obfuscated Files or Information

4. T1047: Windows Management Instrumentation

5. T1036: Masquerading

6. T1059: Command and Scripting Interpreter

7. T1562: Impair Defenses

8. T1112: Modify Registry

9. T1204: User Execution

10. T1055: Process Injection


Picus Red Report

Picus annually publishes the Picus Red Report, which announces the top adversary techniques based on research conducted by Picus Labs. In the latest Picus Red Report, Picus Labs inspected more than 200,000 malware samples used by cyber threat actors and listed the ten most prevalent MITRE ATT&CK techniques used by adversaries.

Due to the dramatic rise of ransomware attacks in recent years, the adversary techniques commonly used by ransomware threat actors also appear in the Picus Red Report.

Top 5 Ransomware ATT&CK Techniques

The following five MITRE ATT&CK techniques appear in both CTID's Ransomware Top Ten List and the Picus Red Report. These techniques are a great starting point for organizations looking to operationalize MITRE ATT&CK against ransomware threats.

1. T1486 Data Encrypted for Impact

T1486 Data Encrypted for Impact is the signature ATT&CK technique for ransomware attacks.

Ransomware threat actors use this technique to encrypt their victims' data with cryptographic algorithms that, when implemented correctly, are practically unbreakable. For better performance, ransomware uses symmetric and asymmetric encryption algorithms in combination. This method is called the "hybrid encryption approach" and allows attackers to encrypt their victims' data quickly without compromising the security of their operation.

For more detailed information, you can check our blog post on the T1486 Data Encrypted for Impact technique.

2. T1027 Obfuscated Files or Information

Security controls are good at identifying and blocking known malicious files, commands, and other types of data. However, adversaries can alter malicious data by encrypting, encoding, compressing, or other means to bypass these controls. This technique is called T1027 Obfuscated Files or Information, and it is a commonly used Defense Evasion technique.

Adversaries mainly use four methods to obfuscate data, and these are:

  • Changing the form of the data: Adversaries compress, archive, or pack the malicious data to avoid detection.

  • Changing the size of the data: Adversaries increase the size of the data without impacting its functionality. If the security controls are not configured properly, they may not scan files larger than a specific size.

  • Hiding malicious data: Adversaries hide malicious data in benign-looking files to evade security controls. Steganography and HTML smuggling are commonly used for this purpose.

  • Obfuscating or removing indicators: Adversaries bypass signature-based detections by obfuscating or removing indicators of compromise (IOCs). These IOCs can be file signatures, environment variables, or section names.

Please check our blog post for more detailed information on this technique.

3. T1036 Masquerading

Adversaries replace features of their malicious artifacts with those of legitimate and trusted ones to trick users into executing them or to bypass security controls. This technique is known as T1036 Masquerading, and it is a Defense Evasion technique.

Adversary use of Masquerading can be classified into four categories:

  • Masquerading file extensions: Adversaries change the file extension to represent malicious files as benign and trick users into executing them.

  • Masquerading names: Adversaries rename malicious files after legitimate applications, system utilities, and services to appear benign and avoid detection.

  • Masquerading file locations: Adversaries place malicious files in trusted directories to avoid detection.

  • Masquerading file signatures: Adversaries copy legitimate and signed executables' code signature and metadata information to malicious files to evade defenses.

Our blog post on T1036 Masquerading explains this technique in greater detail.
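A defender-side check for the first three masquerading categories above, added here as an example and not code from the original post or from Picus. It flags double extensions (a benign-looking extension followed by an executable one), well-known system utility names found outside their expected directories, and one-character lookalikes of those names; the utility-to-directory table and the sample paths are constructed assumptions for the example, not a complete allow-list.

```python
from pathlib import PureWindowsPath

# Assumed allow-list of where a few Windows system utilities normally live
# (lower-case, no trailing backslash). Extend per environment; not exhaustive.
SYSTEM_UTILITIES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
BENIGN_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def check_path(path: str) -> list[str]:
    """Return the masquerading indicators found for a single file path."""
    findings = []
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    suffixes = [s.lower() for s in p.suffixes]
    # Masquerading file extensions: "invoice.pdf.exe" shows as a document
    # to a user whose explorer hides known extensions.
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in BENIGN_EXTS:
        findings.append("double-extension")
    # Masquerading names + locations: a real system name outside its directory.
    if name in SYSTEM_UTILITIES and parent not in SYSTEM_UTILITIES[name]:
        findings.append("system-name-outside-expected-dir")
    # Masquerading names: same length, exactly one character substituted.
    for legit in SYSTEM_UTILITIES:
        if name != legit and len(name) == len(legit) \
                and sum(a != b for a, b in zip(name, legit)) == 1:
            findings.append(f"lookalike-of-{legit}")
    return findings


def scan(paths: list[str]) -> dict[str, list[str]]:
    """Map each flagged path to its findings; clean paths are omitted."""
    return {p: f for p in paths if (f := check_path(p))}


# Constructed sample inventory (e.g. exported from an EDR file listing).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",        # legitimate
    r"C:\Users\Public\svchost.exe",            # system name in user-writable dir
    r"C:\Users\Public\Downloads\invoice.pdf.exe",  # double extension
    r"C:\Windows\System32\svch0st.exe",        # lookalike name
    r"C:\Windows\explorer.exe",                # legitimate
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PATHS).items():
        print(f"{path}: {', '.join(findings)}")
```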

4. T1059 Command and Scripting Interpreter

Command and scripting interpreters are powerful tools that help users execute commands and simplify complex tasks. However, these interpreters are often abused for malicious activity because they give direct control over the victim host.

T1059 Command and Scripting Interpreter is an Execution technique that cyber threat actors use to interact with the local and remote systems during attack campaigns. This technique is the most prevalent adversary technique according to the Picus Red Report, and it is not surprising because every operating system has at least one command and scripting interpreter in its default configuration.

Please check our blog post on Command and Scripting Interpreter technique for more detailed information.

5. T1055 Process Injection

T1055 Process Injection is a Privilege Escalation and Defense Evasion technique that cyber threat actors use to mask their malicious activities and to misuse other processes that run with elevated privileges.

Elevated privileges allow ransomware threat actors to execute malicious code, disable defense logging mechanisms, and move laterally in the victim's network without restrictions. After gaining initial access, ransomware operators often use the T1055 Process Injection technique to gain administrator-level privileges in the infected host.

To learn more about T1055 Process Injection, please check out our blog post.

Summary

MITRE ATT&CK for Enterprise is a great resource for organizations defending themselves against the ever-changing cyber threat landscape. Operationalizing the ATT&CK for Enterprise matrix starts with prioritizing ATT&CK techniques. The Ransomware Top Ten List of the Top ATT&CK Techniques project released by the Center for Threat-Informed Defense and the Picus Red Report provide a road map for operationalizing MITRE ATT&CK against ransomware attacks. In this blog, we explained these studies and identified the following top five ransomware attack techniques, which are common to both studies and can be used to help prioritize threat prevention and detection efforts.

1. T1486 Data Encrypted for Impact

2. T1027 Obfuscated Files or Information

3. T1036 Masquerading

4. T1059 Command and Scripting Interpreter

5. T1055 Process Injection
